Dynamic request matching

You are able to move this logic out into a class if it is too complex for
routes. This class must have a matches? method defined on it which
either returns true if the user should be given access to that
route, or false if the user should not.